Security Engineer, Application Security at Affirm
What You'll Do
- Develop application and product security best practices that standardize secure development across the organization.
- Provide security design reviews and code reviews to the organization to ensure product features meet security requirements and best practices.
- Review, analyze, and evaluate both internally developed software and vendor products and procedures to address security requirements and concerns.
- Serve as subject matter expert for static and dynamic analysis security tools.
- Work with DevOps engineers to integrate static and dynamic analysis security tools into CI/CD pipelines.
- Interpret security tool findings, third-party penetration testing results, and bug bounty program submissions.
- Provide vulnerability remediation guidance and mentoring to product development software engineers.
- Develop company-wide security projects and processes to discover security defects in source code, dependencies, and/or other artifacts.
- Develop and improve documentation on security processes and procedures.
- Build metrics to track security defects and automate the collection of security information to derive metrics.
- Enable automation of product security testing and find innovative ways to scale the security team.
- Evaluate new technologies, tools, and development techniques that impact security.
What We Look For
- Team player with a strong work ethic; attention to detail is a must.
- Ability to communicate effectively with business representatives in explaining security topics clearly and where necessary, in layman's terms.
- Experience with Cloud and virtualized technology in environments such as AWS or GCP.
- Ability to effectively communicate security to any audience, such as explaining vulnerabilities and weaknesses in the OWASP Top 10, WASC, and/or CWE Top 25 and discussing effective defensive techniques and countermeasures with both business and engineering staff.
- Deep understanding of network protocols such as HTTP and SSL/TLS.
- Familiarity with the means to defend modern web applications and APIs.
- Familiarity with dynamic and static analysis tools, and the ability to interpret dynamic/static analysis findings and penetration test results and describe the issues and their fixes to non-security experts.
- Familiarity with common reconnaissance, exploitation, and post-exploitation frameworks.
- Deep understanding of continuous integration / continuous deployment processes and tools.
- Ability to automate tasks using a scripting language (Python, shell, etc.).
- Security certifications such as CISSP or OSCP are a plus.
- BA/BS degree in a related field or equivalent experience is a plus.